public static OMEROMetadataStoreClient mockStore(ServiceFactory sf, String password)
      throws Exception {

    System.setProperty("omero.testing", "true");
    OmeroContext inner = sf.getContext();
    OmeroContext outer =
        new OmeroContext(
            new String[] {
              "classpath:ome/services/messaging.xml", // To share events
              "classpath:ome/formats/fixture.xml",
              "classpath:ome/services/blitz-servantDefinitions.xml",
              "classpath:ome/services/throttling/throttling.xml",
              "classpath:ome/config.xml"
            },
            false);
    outer.setParent(inner);
    outer.refresh();

    EventContext ec = sf.getAdminService().getEventContext();
    String username = ec.getCurrentUserName();
    long groupid = ec.getCurrentGroupId();

    MockFixture fixture = new MockFixture(new MockObjectTestCase() {}, outer);
    omero.client client = fixture.newClient();
    // Fixing group permissions from 4.2.0
    client
        .createSession(username, password)
        .setSecurityContext(new omero.model.ExperimenterGroupI(groupid, false));
    OMEROMetadataStoreClient store = new OMEROMetadataStoreClient();
    store.initialize(client);
    return store;
  }
Example #2
0
 public Principal principal() {
   if (principalHolder.size() == 0) {
     return null;
   } else {
     EventContext ec = principalHolder.getCurrentEventContext();
     String session = ec.getCurrentSessionUuid();
     return new Principal(session);
   }
 }
  public boolean isOwnerOrSupervisor(IObject object) {
    if (object == null) {
      throw new ApiUsageException("Object can't be null");
    }
    final Long o = HibernateUtils.nullSafeOwnerId(object);
    final Long g = HibernateUtils.nullSafeGroupId(object);

    final EventContext ec = getCurrentEventContext();
    final boolean isAdmin = ec.isCurrentUserAdmin();
    final boolean isPI = ec.getLeaderOfGroupsList().contains(g);
    final boolean isOwner = ec.getCurrentUserId().equals(o);

    if (isAdmin || isPI || isOwner) {
      return true;
    }
    return false;
  }
Example #4
0
  public boolean doLogin(boolean readOnly, boolean isClose) {

    try {
      secSys.loadEventContext(readOnly, isClose);
    } catch (SessionTimeoutException ste) {
      // If this is a CloseOnNoSessionContext then we skip all handling
      // since almost any action by the close() method will try to load
      // the context and will fail. This assumes that EventHandler is
      // the most inner handler. If this changes, then this logic may
      // need to be pushed down further.
      if (ste.sessionContext instanceof BasicSecurityWiring.CloseOnNoSessionContext) {
        log.debug("CloseOnNoSessionContext. Skipping");
        return false;
      }
      throw ste;
    }

    // now the user can be considered to be logged in.
    EventContext ec = secSys.getEventContext();
    if (!readOnly) {
      sql.prepareSession(ec.getCurrentEventId(), ec.getCurrentUserId(), ec.getCurrentGroupId());
    }
    if (log.isInfoEnabled()) {
      StringBuilder sb = new StringBuilder();
      sb.append(" Auth:\tuser="******",group=");
      sb.append(ec.getCurrentGroupId());
      sb.append(",event=");
      sb.append(ec.getCurrentEventId());
      sb.append("(");
      sb.append(ec.getCurrentEventType());
      sb.append("),sess=");
      sb.append(ec.getCurrentSessionUuid());
      Long shareId = ec.getCurrentShareId();
      if (shareId != null) {
        sb.append(",share=");
        sb.append(shareId);
      }
      log.info(sb.toString());
    }
    return true;
  }
  /**
   * @see SecuritySystem#isGraphCritical()
   * @return
   */
  public boolean isGraphCritical() {
    EventContext ec = getCurrentEventContext();
    long gid = ec.getCurrentGroupId();
    Permissions perms = ec.getCurrentGroupPermissions();

    boolean admin = ec.isCurrentUserAdmin();
    boolean pi = ec.getLeaderOfGroupsList().contains(gid);

    if (perms.isGranted(Role.WORLD, Right.READ)) {
      // Public groups (rwrwrw) are always non-critical
      return false;
    } else if (perms.isGranted(Role.GROUP, Right.READ)) {
      // Since the object will be contained in the group,
      // then it will be readable regardless.
      return false;
    } else {
      // This is a private group. Any form of admin modification is
      // critical.
      return admin || pi;
    }
  }
Example #6
0
  private void throwSecurityViolationIfNotAllowed(final IObject i) {

    final String type = i.getClass().getName();
    final Details d = i.getDetails();
    final long user = d.getOwner().getId();
    final long group = d.getGroup().getId();

    final EventContext ec = getSecuritySystem().getEventContext();
    final boolean root = ec.isCurrentUserAdmin();
    final List<Long> leaderof = ec.getLeaderOfGroupsList();
    final boolean pi = leaderof.contains(group);
    final boolean own = ec.getCurrentUserId().equals(user);

    if (!own && !root && !pi) {
      if (log.isWarnEnabled()) {
        log.warn(
            String.format(
                "User %d attempted to delete " + type + " %d belonging to User %d",
                ec.getCurrentUserId(),
                i.getId(),
                user));
      }
      throw new SecurityViolation(
          String.format("User %s cannot delete %s %d ", ec.getCurrentUserName(), type, i.getId()));
    }
  }
Example #7
0
 /* Java6 only - @Override */
 public void onApplicationEvent(ContextMessage msg) {
   final CurrentDetails cd = secSys.cd;
   final Session session = factory.getSession();
   if (msg instanceof ContextMessage.Pop) {
     secSys.disableReadFilter(session); // Disable old name
     cd.logout();
     secSys.enableReadFilter(session); // With old context
   } else if (msg instanceof ContextMessage.Push) {
     // We assume don't close and use the current readOnly setting
     final EventContext curr = cd.getCurrentEventContext();
     final boolean readOnly = curr.isReadOnly();
     final boolean isClose = false;
     // here we try to reproduce what's done in invoke
     // with the addition of having a call context
     // ourselves
     secSys.disableReadFilter(session); // Disable old name
     cd.login(cd.getLast()); // Login with same principal
     cd.setContext(msg.context);
     if (!doLogin(readOnly, isClose)) {
       throw new InternalException("Failed to login on Push: " + msg.context);
     }
     secSys.enableReadFilter(session); // With new context
   }
 }